From 613fcfee5cbe9f40e3cbe35d3f8057b88d0a35fc Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Mon, 12 Nov 2018 11:15:08 +0100
Subject: [PATCH] Don't allow writes to runtime files in /etc

We mistakenly bind-mounted the runtime /usr/etc files read-write in /etc, which means that application could modify some parts of the runtimes (at least when using a per-user installed runtime).

Fix this by using a --ro-bind.

(cherry picked from commit 08e47e954443520962e0e0f8b9a5aac0017ae5c8)
---
 common/flatpak-run.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 90b435fe..04b7c800 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2464,7 +2464,7 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
 }
 else
 {
- flatpak_bwrap_add_args (bwrap, "--bind", src, dest, NULL);
+ flatpak_bwrap_add_args (bwrap, "--ro-bind", src, dest, NULL);
 }
 }
 }
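Review bot: The `else` branch now mounts the runtime's /usr/etc entries read-only, but the matching `if` branch and the rest of `flatpak_run_setup_base_argv` lie outside this hunk, so it is not visible here whether any other `--bind` of runtime-owned paths into /etc remains; the sibling branch is worth checking for the same pattern. The intent behind `--ro-bind` is a sandbox-boundary invariant rather than a local detail, so it deserves a comment that a later refactor cannot silently undo: `/* Runtime-owned files exposed under /etc must never be writable from inside the sandbox; a --bind here lets the app modify the runtime itself (see commit message). */`. The enclosing function starts and ends outside the hunk.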